Whenever there is a new report about a targeted attack, the first thing you might ask yourself is: “What is the intention?”
Why would someone invest time to prepare a campaign, send a spear-phishing email with a malicious document attached and burn a zero-day vulnerability in order to silently install sophisticated malware?
Today, Seculert received information about a new attack targeting several specific companies in a few industries. The attack is called “Shamoon,” after a folder-name string found within the malware executable (“C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb”).
The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master Boot Record (MBR) of the computer. Why would someone wipe files in a targeted attack and make the machine unusable?
While it’s rare to find this type of malware in targeted attacks, our friends at Kaspersky Lab suggest that this is the same behavior as the wiper malware found attacking machines in Iran that had been infected with another, unknown malware. That earlier wiper then led Kaspersky to the discovery of Flame.
Furthermore, Shamoon is collecting the names of the files it has overwritten and sending this information to another internal machine within the compromised company’s network. The samples we analyzed communicated with a local IP address 10.1.252.19 (see Figure 1).
Figure 1: Shamoon malware trying to communicate with IP address 10.1.252.19
The evidence above suggests that this is a two-stage attack:
The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command and Control (C&C) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C&C through the proxy.
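One way to hunt for the internal-proxy stage described above in network flow data, as an added example that is not code from the original post or from Seculert: it flags an internal host that both reaches external addresses and is contacted by an unusual number of other internal hosts. The flow records, the 10.0.0.0/8 internal range and the peer threshold are constructed assumptions; the proxy address 10.1.252.19 is the one reported in the post.

```python
# Added example (not Seculert's code): flow-log heuristic for a two-stage
# attack in which one internal host relays traffic between many infected
# internal machines and an external C&C server.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.252.19", "203.0.113.7", 443),   # internal proxy -> external C&C
    ("10.1.252.19", "203.0.113.7", 443),
    ("10.1.10.5", "10.1.252.19", 8080),     # infected hosts -> internal proxy
    ("10.1.10.6", "10.1.252.19", 8080),
    ("10.1.10.7", "10.1.252.19", 8080),
    ("10.1.10.8", "10.1.252.19", 8080),
    ("10.1.10.5", "10.1.0.2", 445),         # ordinary file-server traffic
    ("10.1.10.6", "10.1.0.2", 445),
    ("10.1.0.9", "198.51.100.3", 443),      # ordinary outbound browsing
]


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_pivot_hosts(flows, min_internal_peers=3):
    """Return internal hosts that reach external addresses AND are contacted
    by at least `min_internal_peers` distinct internal hosts.  The threshold
    is an assumption to be tuned per environment; a file server or a real
    web proxy will also match and must be whitelisted by the analyst."""
    external_dsts = defaultdict(set)  # host -> external IPs it reached
    internal_srcs = defaultdict(set)  # host -> internal IPs that contacted it
    for src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            external_dsts[src].add(dst)
        elif is_internal(src) and is_internal(dst):
            internal_srcs[dst].add(src)
    return sorted(
        host for host in external_dsts
        if len(internal_srcs.get(host, ())) >= min_internal_peers
    )


if __name__ == "__main__":
    print(find_pivot_hosts(SAMPLE_FLOWS))  # ['10.1.252.19']
```

A single hit is only a lead: the post's proxy was a legitimately internet-connected machine, so the analyst still has to confirm why the other internal hosts talk to it.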
It is still unclear who is behind this attack. We will update this blog with more information when it becomes available.
UPDATE [17-Aug-2012]: Updated the section about Flame, to clarify that it was not used in the same attack as Flame, but rather a different targeted-attack that led to the discovery of Flame.